commit: 3ea5bb0c62bc9d8073192273fa311f60c4503c99 Author: Mike Gilbert <floppym <AT> gentoo <DOT> org> AuthorDate: Thu Feb 5 21:08:14 2026 +0000 Commit: Mike Gilbert <floppym <AT> gentoo <DOT> org> CommitDate: Thu Feb 5 21:18:02 2026 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3ea5bb0c
net-misc/iputils: rework filecaps support iputils uses libcap to enable/disable caps at run time. When libcap is disabled, iputils calls seteuid() to elevate/drop privs. For best results, we should require libcap (USE=caps) whenever filecaps are enabled to ensure permissions can be dropped when appropriate. Note that the ping command does not always require CAP_NET_RAW since we enabled the net.ipv4.ping_group_range sysctl setting. However, the -m option still requires CAP_NET_RAW or CAP_NET_ADMIN depending on the kernel version. Bug: https://bugs.gentoo.org/962112 Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org> ...s-20250605-r1.ebuild => iputils-20250605-r2.ebuild} | 18 ++++++++++++++---- net-misc/iputils/iputils-99999999.ebuild | 18 ++++++++++++++---- 2 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/net-misc/iputils/iputils-20250605-r1.ebuild b/net-misc/iputils/iputils-20250605-r2.ebuild
similarity index 86%
rename from net-misc/iputils/iputils-20250605-r1.ebuild
rename to net-misc/iputils/iputils-20250605-r2.ebuild
index c0a647d9a2ee..1e55674d7085 100644
--- a/net-misc/iputils/iputils-20250605-r1.ebuild
+++ b/net-misc/iputils/iputils-20250605-r2.ebuild
@@ -36,7 +36,8 @@ LICENSE="
 tracepath? ( GPL-2+ )
 "
 SLOT="0"
-IUSE="+arping caps clockdiff doc idn nls test tracepath"
+IUSE="+arping +caps clockdiff doc idn nls test tracepath"
+REQUIRED_USE="filecaps? ( caps )"
 RESTRICT="!test? ( test )"
 RDEPEND="
@@ -116,9 +117,18 @@ src_test() {
 src_install() {
 meson_src_install
 
- FILECAPS=( cap_net_raw usr/bin/ping )
- use arping && FILECAPS+=( usr/bin/arping )
- use clockdiff && FILECAPS+=( usr/bin/clockdiff )
+ # See build-aux/setcap-setuid.sh
+ # For suidctl compat: enable suid in src_install and remove it if fcaps is successful
+ fperms u+s /usr/bin/ping
+ FILECAPS=( -M u-s cap_net_admin,cap_net_raw+p usr/bin/ping )
+ if use arping; then
+ fperms u+s /usr/bin/arping
+ FILECAPS+=( -- -M u-s cap_net_raw+p usr/bin/arping )
+ fi
+ if use clockdiff; then
+ fperms u+s /usr/bin/clockdiff
+ FILECAPS+=( -- -M u-s cap_net_raw,cap_sys_nice+ep usr/bin/clockdiff )
+ fi
 
 dosym ping /usr/bin/ping4
 dosym ping /usr/bin/ping6
diff --git a/net-misc/iputils/iputils-99999999.ebuild b/net-misc/iputils/iputils-99999999.ebuild
index 1904e55249a6..43f9ea46b947 100644
--- a/net-misc/iputils/iputils-99999999.ebuild
+++ b/net-misc/iputils/iputils-99999999.ebuild
@@ -36,7 +36,8 @@ LICENSE="
 tracepath? ( GPL-2+ )
 "
 SLOT="0"
-IUSE="+arping caps clockdiff doc idn nls test tracepath"
+IUSE="+arping +caps clockdiff doc idn nls test tracepath"
+REQUIRED_USE="filecaps? ( caps )"
 RESTRICT="!test? ( test )"
 RDEPEND="
@@ -112,9 +113,18 @@ src_test() {
 src_install() {
 meson_src_install
 
- FILECAPS=( cap_net_raw usr/bin/ping )
- use arping && FILECAPS+=( usr/bin/arping )
- use clockdiff && FILECAPS+=( usr/bin/clockdiff )
+ # See build-aux/setcap-setuid.sh
+ # For suidctl compat: enable suid in src_install and remove it if fcaps is successful
+ fperms u+s /usr/bin/ping
+ FILECAPS=( -M u-s cap_net_admin,cap_net_raw+p usr/bin/ping )
+ if use arping; then
+ fperms u+s /usr/bin/arping
+ FILECAPS+=( -- -M u-s cap_net_raw+p usr/bin/arping )
+ fi
+ if use clockdiff; then
+ fperms u+s /usr/bin/clockdiff
+ FILECAPS+=( -- -M u-s cap_net_raw,cap_sys_nice+ep usr/bin/clockdiff )
+ fi
 
 dosym ping /usr/bin/ping4
 dosym ping /usr/bin/ping6
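Review bot: The reason `usr/bin/ping` and `usr/bin/arping` get permitted-only caps (`+p`) while `usr/bin/clockdiff` gets `+ep` is not stated next to the FILECAPS entries in src_install, and that distinction is exactly what makes the new `REQUIRED_USE="filecaps? ( caps )"` necessary: a `+p` cap is only usable if the binary raises it into its effective set through libcap at run time, so a USE=-caps build with filecaps would install a ping that cannot use `-m`. A short comment above the `FILECAPS=( -M u-s cap_net_admin,cap_net_raw+p usr/bin/ping )` line would spare the next maintainer a trip to build-aux/setcap-setuid.sh, e.g. `# +p = permitted only: iputils raises the cap via libcap when needed (hence REQUIRED_USE filecaps -> caps); clockdiff gets +ep, presumably because it has no such libcap path upstream`. It would also help to state that when setcap fails or USE=-filecaps, fcaps (if I read the eclass correctly) leaves the binary at its fallback mode, i.e. setuid root as before this change, so the `fperms u+s` / `-M u-s` pair only changes the success path. The same applies verbatim to the src_install hunk of iputils-99999999.ebuild later in this commit.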
